#+AUTHOR:Joshua Branson
#+TITLE: Let's Encrypt & Certbot
#+LATEX_HEADER: \usepackage{lmodern}
#+LATEX_HEADER: \usepackage[QX]{fontenc}
#+OPTIONS: H:10 toc:nil

* Let's Encrypt & Certbot

All websites should be encrypted using https!  Many are not.  If you
are not encrypting your websites, then your users' data can be leaked
to anyone on the network path between them and your server.  If you
would like your website to appear high on Google's search results, and
you care about user privacy online, then you should try "Let's
Encrypt".  Let's Encrypt is a free certificate authority, and everybody
should use it!

In order to start using Let's Encrypt, you need to prove to the "Let's
Encrypt" people that you actually own your website.  "Certbot" is a
program that will help you do this.  Certbot generates a key and a
certificate request for you, and creates a secret file on your
webserver.  Let's Encrypt then fetches that file over plain HTTP (the
"http-01" challenge you will see in the output below) to check that you
actually control the website.  Then your certificate is issued.

You will also have to renew your certificates regularly (the ones
issued below expire after 90 days).  Certbot can periodically renew
your certificates for you.

As of [2018-04-09 Mon], the nginx plugin for certbot does not support
confirming that I control a domain.  For example, when I try to do
that, I get this error:

#+BEGIN_SRC sh :results output :exports both :dir /ssh:root@richardrahl:/var/www/html/gnucode.me/public_html/
sudo certbot --nginx -d gnucode.me -d www.gnucode.me
#+END_SRC

#+RESULTS:
#+begin_example
sudo: unable to resolve host RichardRahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
#+end_example

So I have to use the webroot command.  Can this command be both an authenticator and an installer?

The general form is =certbot [subcommand] [options]=.

** Vocab

- authenticators

  Authenticators verify that you can change content on your website, which proves that you control the domain.  The =certonly= subcommand runs only an authenticator (for example the =webroot= plugin used below).

  Authenticators obtain the certificate and confirm that you own your domain, but they do not edit your nginx or Apache configuration files.  Certbot can issue a single certificate covering all of your domains, but you need to list every domain with =-d=.

  The certificate is installed under the /etc/letsencrypt/ directory (the current copy lives in /etc/letsencrypt/live/<domain>/).  You could use a symlink to point to the certificate.

- installers

  Installers are plugins that use the install subcommand to modify your nginx config file so that it serves the certificate.

** Installing certbot on an nginx server when the nginx plugin doesn't work

This authenticates two sites, gnusites.com and gnucode.me.  Each =-w= gives a webroot, followed by the =-d= names served from it:

#+BEGIN_SRC sh
sudo certbot certonly --webroot -w /var/www/html/gnusites.com/public_html/ -d www.gnusites.com -d gnusites.com -w /var/www/html/gnucode.me/public_html/ -d www.gnucode.me -d gnucode.me
#+END_SRC

The output of the command tells me:

#+begin_example
sudo: unable to resolve host richardrahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.gnusites.com
http-01 challenge for gnusites.com
http-01 challenge for www.gnucode.me
http-01 challenge for gnucode.me
Using the webroot path /var/www/html/gnucode.me/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.gnusites.com/fullchain.pem. Your cert
   will expire on 2018-07-08. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
#+end_example


It should have created a temporary file at ${webroot-path}/.well-known/acme-challenge

Nginx tells me that gnusites.com/.well-known/acme-challenge does not exist.

Wordpress tells me that gnucode.me/.well-known/acme-challenge cannot be found.

The command tells me that it challenged www.gnusites.com, gnusites.com, gnucode.me, and www.gnucode.me.
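The "does not exist" / "cannot be found" answers above are what the CA would see too, so it is worth probing the challenge path yourself before running certbot.  The script below is an added example (not part of these notes or of certbot): for each domain=webroot pair it drops a probe file where certbot would, fetches it over plain HTTP the way Let's Encrypt does (following redirects such as the 301 to https), and compares the bytes.  It assumes curl is installed and that the script runs on the web server itself.

```shell
#!/bin/sh
# Pre-flight for certbot's webroot (http-01) authenticator, assuming one
# webroot per site as in the certonly commands above. Run on the server
# before "certbot certonly --webroot". Added example, not certbot code.
set -eu

# Directory certbot writes challenge files into, beneath a webroot.
acme_dir() {
    printf '%s/.well-known/acme-challenge' "${1%/}"
}

# Create a throwaway probe file under the webroot; prints its token name.
write_probe() {
    dir=$(acme_dir "$1")
    mkdir -p "$dir"
    token="probe-$$-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
    printf 'ok-%s' "$token" > "$dir/$token"
    printf '%s' "$token"
}

# Succeed only if the body the server returned equals the file on disk
# (a WordPress 404 page or an nginx error page will not match).
probe_matches() {
    [ "$3" = "$(cat "$(acme_dir "$1")/$2")" ]
}

# Probe one domain; prints OK or FAIL and always removes the probe file.
check_domain() {
    domain=$1 webroot=$2
    token=$(write_probe "$webroot")
    url="http://$domain/.well-known/acme-challenge/$token"
    # -L: Let's Encrypt follows redirects, so a 301 to https is fine as
    # long as the https side also serves the file.
    body=$(curl -fsSL --max-time 10 "$url" 2>/dev/null || true)
    if probe_matches "$webroot" "$token" "$body"; then
        echo "OK   $url"
    else
        echo "FAIL $url (got: ${body:-<no response>})"
    fi
    rm -f "$(acme_dir "$webroot")/$token"
}

# Usage: ./acme-preflight.sh gnusites.com=/var/www/html/gnusites.com/public_html \
#            www.gnucode.me=/var/www/html/gnucode.me/public_html
for pair in "$@"; do
    check_domain "${pair%%=*}" "${pair#*=}"
done
```

A FAIL whose body is an HTML page means the request was routed to the application (WordPress) or to an nginx location that does not serve the webroot; a FAIL with no response means the name does not resolve to this server or port 80 is closed.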

** Trying out the certificate

I'm getting weird errors.  Gnusites is encrypted, but https://gnucode.me is serving gnusites...?

gnusites.com works just fine.

Here is the code that I pulled from this online tutorial:  https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

#+BEGIN_SRC sh :results output :exports both :dir /ssh:joshua@richardrahl:/var/www/html/gnucode.me/public_html/
grep "RSA"  -A 10   /etc/nginx/sites-enabled/gnusites.com
#+END_SRC

#+RESULTS:
#+begin_example
    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/www.gnusites.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.gnusites.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

#+end_example
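The "https://gnucode.me is serving gnusites" symptom is usually nginx picking its default SSL server: the config above gives only gnusites.com a =listen 443 ssl= block, so a TLS connection asking for gnucode.me lands there and receives the www.gnusites.com certificate and content.  The script below is an added example (not from these notes or from certbot) that shows which names the served certificate actually covers; it assumes the openssl command line tool is installed, and the sample x509 text in it is constructed.

```shell
#!/bin/sh
# Show which names the certificate a host actually presents covers.
# Added example; assumes the openssl CLI. The sample text is constructed.
set -eu

# Print the DNS names from the Subject Alternative Name of an
# "openssl x509 -noout -text" dump read on stdin, one per line.
san_names() {
    sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed if the certificate text on stdin names $1, either exactly or
# via a one-level wildcard such as *.gnucode.me.
cert_covers() {
    san_names | grep -qxF -e "$1" -e "*.${1#*.}"
}

# Fetch the leaf certificate a server presents when asked for $1 via SNI,
# as a text dump (needs network; the self-test does not call this).
served_cert_text() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# Report whether the served certificate matches the requested name.
check_served() {
    text=$(served_cert_text "$1")
    if printf '%s\n' "$text" | cert_covers "$1"; then
        echo "OK   $1"
    else
        echo "WRONG CERT for $1; it names: $(printf '%s\n' "$text" | san_names | tr '\n' ' ')"
    fi
}

# Constructed excerpt of an x509 text dump for a gnusites-only certificate,
# the kind of certificate gnucode.me was being handed.
SAMPLE_X509_TEXT='            X509v3 Subject Alternative Name:
                DNS:gnusites.com, DNS:www.gnusites.com'

# Usage: ./served-cert.sh gnusites.com gnucode.me www.gnucode.me
for host in "$@"; do check_served "$host"; done
```

The fix on the nginx side is a separate =server= block for gnucode.me that listens on 443 with its own =ssl_certificate= lines, so each name is answered with its own certificate.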

* setting up certbot for laundrysucks.io

#+begin_example
joshua@richardrahl:/var/www/html/laundrysucks.io/public_html$ sudo certbot certonly --webroot -w /var/www/html/laundrysucks.io/public_html/ -d laundrysucks.io
sudo: unable to resolve host richardrahl
[sudo] password for joshua:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for laundrysucks.io
Using the webroot path /var/www/html/laundrysucks.io/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/laundrysucks.io/fullchain.pem. Your cert will
   expire on 2018-08-18. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
#+end_example

* setting up certbot for gnu-hurd.com

#+begin_example
joshua@richardrahl:/var/www/html/gnu-hurd.com/.well-known$ sudo certbot certonly --webroot -w /var/www/html/gnu-hurd.com/public_html/ -d gnu-hurd.com -d www.gnu-hurd.com
sudo: unable to resolve host richardrahl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gnu-hurd.com
http-01 challenge for www.gnu-hurd.com
Using the webroot path /var/www/html/gnu-hurd.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/gnu-hurd.com/fullchain.pem. Your cert will
   expire on 2018-08-19. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
#+end_example

* online manual https://certbot.eff.org/docs/using.html


#+BEGIN_SRC sh :results output :exports both :dir /ssh:joshua@richardrahl:/home/joshua
ls
#+END_SRC

#+RESULTS:
: dead.letter  grep


#+BEGIN_SRC sh :results output :exports both :dir /ssh:joshua@richardrahl:/home/joshua
cat grep
#+END_SRC

#+RESULTS:


#+BEGIN_SRC sh :results output :exports both :dir /ssh:joshua@richardrahl:/home/joshua
rm grep
#+END_SRC

#+RESULTS:


#+BEGIN_SRC sh :results output :exports both :dir /ssh:joshua@richardrahl:/home/joshua
ls
#+END_SRC

#+RESULTS:
: dead.letter

* webroot

This gets a certificate for a website given the specific spot (the webroot, =-w=) where you keep the site's files; Let's Encrypt must be able to fetch files from that directory over HTTP:

=certbot certonly --webroot -w /var/www/html/matomo/public_html -d www.gnucode.me -d gnucode.me=

* revoking a certificate

=certbot revoke --cert-path /path/to/certificate=

* adding a domain to a certificate

This command expands a certificate to include new domain names.  existing.com and www.existing.com were domains that the certificate already had; I added two more, blog.existing.com and www.blog.existing.com.  Every name, old and new, must be listed again, because the =-d= list replaces the certificate's name list rather than appending to it:

=certbot --cert-name existing.com -d existing.com,www.existing.com,blog.existing.com,www.blog.existing.com=
